MapReduce for ParallelTrace Validation of LTL Properties

Benjamin Barre, Mathieu Klein, Maxime Soucy-Boivin,Pierre-Antoine Ollivier and Sylvain Hallé

Université du Québec à ChicoutimiCANADA

CRSNGNSERC

Fonds de rechercheNature ettechnologies

System

System

System

Instrumentation

System

Instrumentation

System

Instrumentation

Trace

System

Instrumentation

Trace

Events

System

Instrumentation

Trace

Events

System

Instrumentation

Trace

Events

Tracevalidation

Iterator<T>

Iterator<T>

hasNext

next

Iterator<T>

hasNext

next

A call to next must be precededby a call to hasNext

B

A

B

A

No CartCreate request can occurbefore a LoginResponse message

Login

Login

Three successive login attemptsshould trigger an alarm

Receive order

Receive orderReady?

Receive orderReady? Yes

Receive orderReady? Yes

File order

No Ship

Receive orderReady? Yes

File order

No Ship

A received order must eventuallybe shipped

A

0 1 2 3 4 . . .

a a b c b

ℕ

A trace m is a mapping from ℕ tothe set of events :

ALet be a set of event symbols.

A

Groundterms

→¬∧→¬∧

Booleanconnectives

Temporaloperators

XGFU

nextgloballyeventuallyuntil

+ +

= Linear Temporal Logic

A

0 1 2 3 4 . . .

a a b c b

ℕ

ΦLet be the set of all possible LTL formulas.

The function ℒ : Φ → 2 labels each state witha set of LTL formulas

ℕ

a∧b

a∧b

G (a→b)

b∨c

b∨c

a∧b

G (a→b)

ℒ(a∧b) = {0,1,4,...}Example:

ℒ

A

0 1 2 3 4 . . .

a a b c b

ℕ

ΦLet be the set of all possible LTL formulas.

The function ℒ : Φ → 2 labels each state witha set of LTL formulas

ℕ

i ∈ ℒ(φ∨ψ) ⇔ i ∈ ℒ(φ) or i ∈ ℒ(ψ)i ∈ ℒ(φ∧ψ) ⇔ i ∈ ℒ(φ) and i ∈ ℒ(ψ)i ∈ ℒ(¬φ) ⇔ i ∉ ℒ(φ)

i ∈ ℒ(G φ) ⇔ j ∈ ℒ(φ) for all j ≥ ii ∈ ℒ(X φ) ⇔ i+1 ∈ ℒ(φ)

i ∈ ℒ(F φ) ⇔ j ∈ ℒ(φ) for some j ≥ ii ∈ ℒ(φ U ψ) ⇔ j ∈ ℒ(ψ) for some j ≥ i and

k ∈ ℒ(φ) for all j ≥ k ≥ i

i ∈ ℒ(a) ⇔ m(i) = a

i ∈ ℒ(φ) exactly when the tracem(i), m(i+1), ... satisfies φ

Theorem

ψφ σ

0 1 2 3 4 . . .

ψφ σ

i ∈ ℒ(φ) exactly when the tracem(i), m(i+1), ... satisfies φ

Theorem

ψφ σ

0 1 2 3 4 . . .

ψφ σ

0 ∈ ℒ(φ) ⇔ m ⊧ φ

Therefore...

A call to next must be followed by a callto hasNext

No CartCreate request can occurbefore a LoginResponse message

A received order must eventuallybe shipped

Three successive login attempts shouldtrigger an alarm

A call to next must be followed by a callto hasNext

No CartCreate request can occurbefore a LoginResponse message

A received order must eventuallybe shipped

Three successive login attempts shouldtrigger an alarm

G (next → X hasNext)

A call to next must be followed by a callto hasNext

No CartCreate request can occurbefore a LoginResponse message

A received order must eventuallybe shipped

Three successive login attempts shouldtrigger an alarm

G (next → X hasNext)

¬ CartCreate U hasNext

A call to next must be followed by a callto hasNext

No CartCreate request can occurbefore a LoginResponse message

A received order must eventuallybe shipped

Three successive login attempts shouldtrigger an alarm

G (next → X hasNext)

¬ CartCreate U hasNext

G (receive → F ship)

A call to next must be followed by a callto hasNext

No CartCreate request can occurbefore a LoginResponse message

A received order must eventuallybe shipped

Three successive login attempts shouldtrigger an alarm

G (next → X hasNext)

¬ CartCreate U hasNext

G (receive → F ship)

G ¬(fail ∧ (X (fail ∧ X fail)))

Iterator<T> Java MOP

21 3 4 5

The trace mustbe read linearly

The algorithm works on asingle process / core / sitex1

�

�

1

10

100

1,000

10,000

100,000

1,000,000

10,000,000

1970 1980 1990 2000 2010

1

10

100

1,000

10,000

100,000

1,000,000

10,000,000

1970 1980 1990 2000 2010

Transistors (x1000)

1

10

100

1,000

10,000

100,000

1,000,000

10,000,000

1970 1980 1990 2000 2010

Transistors (x1000)

CPU Speed

(MHz)

f∞PageRank

a 1

KeyValue

Tuple (baaah){

Data source

Data source

IIInput reader

Data source

IIInput reader

. . .2 7a z

2a. . . 2a

2a. . . 2a M

Mapper

2a. . . 2a M

Mapper

2a. . .6w

a 23 g

a

3b3 b

2a. . . 2a M

Mapper

2a. . .6w

3 aa 2

3a3a

b 9 3 ae 83a

bb

a

ab

Shuffling

3 ae 8

ba

. . .

b

. . .

b

aa

bd

a

a

a 2

3a

b

b 9

aa2a 2 3a

b9b

aa2a 2 3a

b9b

Ra

Rb

Reducer

aa2a 2 3a

b9b

Ra

Rb

Reducer

. . .z 8 x 2

e 7 i 0

a b a a b a

a b a a b a

ab

ba

a a

a b a a b a

ab

ba

a a I

a b a a b a

ab

ba

a a I〈a,1〉

〈a,1〉

a b a a b a

ab

ba

a a I〈a,1〉

〈a,1〉

〈b,1〉

〈a,1〉I

I〈a,1〉

〈b,1〉

a b a a b a

ab

ba

a a I〈a,1〉

〈a,1〉

〈b,1〉

〈a,1〉I

I〈a,1〉

〈b,1〉

a b a a b a

ab

ba

a a I〈a,1〉

〈a,1〉

〈b,1〉

〈a,1〉I

I〈a,1〉

〈b,1〉

a b a a b a

ab

ba

a a I〈a,1〉

〈a,1〉

〈b,1〉

〈a,1〉I

I〈a,1〉

〈b,1〉

Ra

a b a a b a

ab

ba

a a I〈a,1〉

〈a,1〉

〈b,1〉

〈a,1〉I

I〈a,1〉

〈b,1〉

Ra 〈a,4〉

a b a a b a

ab

ba

a a I〈a,1〉

〈a,1〉

〈b,1〉

〈a,1〉I

I〈a,1〉

〈b,1〉

Ra 〈a,4〉

〈b,2〉Rb

a b a a b a

ab

ba

a a I〈a,1〉

〈a,1〉

〈b,1〉

〈a,1〉I

I〈a,1〉

〈b,1〉

Ra 〈a,4〉

〈b,2〉Rb

GG ∧∧

Subformula

Superformula

Formula

Subformula Subformula

Superformula

1

0

2

3

∧

a c b

¬ F

G

1

0

2

4Height

→3

1

0

2

3

∧

a c b

¬ F

G

1

0

2

4Height

→3

¬c has height 1G ((a ∧¬c) → F b) has height 4

i ∈ ℒ(φ∨ψ) ⇔ i ∈ ℒ(φ) or i ∈ ℒ(ψ)i ∈ ℒ(φ∧ψ) ⇔ i ∈ ℒ(φ) and i ∈ ℒ(ψ)i ∈ ℒ(¬φ) ⇔ i ∉ ℒ(φ)

i ∈ ℒ(G φ) ⇔ j ∈ ℒ(φ) for all j ≥ ii ∈ ℒ(X φ) ⇔ i+1 ∈ ℒ(φ)

i ∈ ℒ(F φ) ⇔ j ∈ ℒ(φ) for some j ≥ ii ∈ ℒ(φ U ψ) ⇔ j ∈ ℒ(ψ) for some j ≥ i and

k ∈ ℒ(φ) for all j ≥ k ≥ i

i ∈ ℒ(a) ⇔ m(i) = a

The labelling of a formula depends onlyon labellings of formulas of strictly lower height

i ∈ ℒ(φ∨ψ) ⇔ i ∈ ℒ(φ) or i ∈ ℒ(ψ)i ∈ ℒ(φ∧ψ) ⇔ i ∈ ℒ(φ) and i ∈ ℒ(ψ)i ∈ ℒ(¬φ) ⇔ i ∉ ℒ(φ)

i ∈ ℒ(G φ) ⇔ j ∈ ℒ(φ) for all j ≥ ii ∈ ℒ(X φ) ⇔ i+1 ∈ ℒ(φ)

i ∈ ℒ(F φ) ⇔ j ∈ ℒ(φ) for some j ≥ ii ∈ ℒ(φ U ψ) ⇔ j ∈ ℒ(ψ) for some j ≥ i and

k ∈ ℒ(φ) for all j ≥ k ≥ i

i ∈ ℒ(a) ⇔ m(i) = a

The labelling of a formula depends onlyon labellings of formulas of strictly lower height

All labellings of formulas of same height are independent

⇒

i ∈ ℒ(φ∨ψ) ⇔ i ∈ ℒ(φ) or i ∈ ℒ(ψ)i ∈ ℒ(φ∧ψ) ⇔ i ∈ ℒ(φ) and i ∈ ℒ(ψ)i ∈ ℒ(¬φ) ⇔ i ∉ ℒ(φ)

i ∈ ℒ(G φ) ⇔ j ∈ ℒ(φ) for all j ≥ ii ∈ ℒ(X φ) ⇔ i+1 ∈ ℒ(φ)

i ∈ ℒ(F φ) ⇔ j ∈ ℒ(φ) for some j ≥ ii ∈ ℒ(φ U ψ) ⇔ j ∈ ℒ(ψ) for some j ≥ i and

k ∈ ℒ(φ) for all j ≥ k ≥ i

i ∈ ℒ(a) ⇔ m(i) = a

The labelling of a formula depends onlyon labellings of formulas of strictly lower height

All labellings of formulas of same height are independent

⇒

⇒ They can be computed in parallel

i ∈ ℒ(φ∨ψ) ⇔ i ∈ ℒ(φ) or i ∈ ℒ(ψ)i ∈ ℒ(φ∧ψ) ⇔ i ∈ ℒ(φ) and i ∈ ℒ(ψ)i ∈ ℒ(¬φ) ⇔ i ∉ ℒ(φ)

i ∈ ℒ(G φ) ⇔ j ∈ ℒ(φ) for all j ≥ ii ∈ ℒ(X φ) ⇔ i+1 ∈ ℒ(φ)

i ∈ ℒ(F φ) ⇔ j ∈ ℒ(φ) for some j ≥ ii ∈ ℒ(φ U ψ) ⇔ j ∈ ℒ(ψ) for some j ≥ i and

k ∈ ℒ(φ) for all j ≥ k ≥ i

i ∈ ℒ(a) ⇔ m(i) = a

M

Input: tuples 〈φ,(n,i)〉

M

Input: tuples 〈φ,(n,i)〉

“ n ∈ ℒ(φ), and the last cycle has evaluatedlabellings for formulas of height i ”

M

Input: tuples 〈φ,(n,i)〉

“ n ∈ ℒ(φ), and the last cycle has evaluatedlabellings for formulas of height i ”

M “Lift” ℒ(φ) to superformulas of φ

Input: tuples 〈φ,(n,i)〉

“ n ∈ ℒ(φ), and the last cycle has evaluatedlabellings for formulas of height i ”

M “Lift” ℒ(φ) to superformulas of φ

Output: tuples 〈ψ,(φ,n,i)〉

“ n ∈ ℒ(φ), the last cycle has evaluatedlabellings for formulas of height i, andφ is a subformula of ψ ”

Input: tuples 〈φ,(n,i)〉

“ n ∈ ℒ(φ), and the last cycle has evaluatedlabellings for formulas of height i ”

M “Lift” ℒ(φ) to superformulas of φ

Output: tuples 〈ψ,(φ,n,i)〉

Rψ

Rψ

Input:〈ψ,(φ,n,i)〉

Rψ

Input:〈ψ,(φ,n,i)〉

“ n ∈ ℒ(φ), the last cyclehas evaluated labellings forformulas of height i, andφ is a subformula of ψ ”

Rψ

Input:〈ψ,(φ,n,i)〉

Compute ℒ(ψ)

“ n ∈ ℒ(φ), the last cyclehas evaluated labellings forformulas of height i, andφ is a subformula of ψ ”

Rψ

Input:〈ψ,(φ,n,i)〉

Compute ℒ(ψ)

“ n ∈ ℒ(φ), the last cyclehas evaluated labellings forformulas of height i, andφ is a subformula of ψ ”

Output:〈ψ,(n,i+1)〉

Rψ

Input:〈ψ,(φ,n,i)〉

Compute ℒ(ψ)

“ n ∈ ℒ(φ), the last cyclehas evaluated labellings forformulas of height i, andφ is a subformula of ψ ”

Output:〈ψ,(n,i+1)〉

“ n ∈ ℒ(ψ), and the lastcycle has evaluatedlabellings for formulas of height i+1

I

I

Input: events (a,n)

I

Input: events (a,n)

Output: tuples 〈ψ,(a,n,0)〉

. . .

“ n ∈ ℒ(a), the last cycle has evaluatedlabellings for formulas of height 0, anda is a subformula of ψ ”

W

Input: 〈ψ,(n,i)〉

W

Input: 〈ψ,(n,i)〉

W

Output:

True if 〈ψ,(0,i)〉is read

False otherwise

1

2

3

. . .II

RR

R

RR

R

R

RW

. . .

1

2

3

. . .II

RR

R

RR

R

R

RW

. . .

InputReaders generate the first tuples fromthe trace chunks

1

2

3

. . .II

RR

R

RR

R

R

RW

. . .

The tuples are shuffled to reducers that compute thelabelling ℒ for formulas of height 1

1

2

3

. . .II

RR

R

RR

R

R

RW

. . .

Mappers copy the labellings into tuples marked bysuperformulas of height 2

1

2

3

. . .II

RR

R

RR

R

R

RW

. . .

Each reducer computes the labelling of a formula ofheight 2 from the labelling of its subformulas

1

2

3

. . .II

RR

R

RR

R

R

RW

. . .

Mappers copy the labellings into tuples marked bysuperformulas of height 3

1

2

3

. . .II

RR

R

RR

R

R

RW

. . .

Each reducer computes the labelling of a formula ofheight 3 from the labelling of its subformulas

1

2

3

. . .II

RR

R

RR

R

R

RW

. . .

An output writer collects the resulting tuples, andoutputs “true” if it encounters a tuple for state 0

⊨ G (¬a → F b)?

a a b c b a

⊨ G (¬a → F b)?

a a b c b a

(a,0)

(a,1)

(a,5)

(b,2)

(c,3)

(b,4)

0HEIGHT

⊨ G (¬a → F b)?

a a b c b a

(a,0)

(a,1)

(a,5)

(b,2)

(c,3)

(b,4)

0HEIGHT

I

I

I

⊨ G (¬a → F b)?

a a b c b a

(a,0)

(a,1)

(a,5)

(b,2)

(c,3)

(b,4)

0HEIGHT

I

I

I

〈¬a,(a,0)〉

〈¬a,(a,1)〉

〈¬a,(a,5)〉

〈F b,(b,4)〉

〈F b,(b,2)〉

1HEIGHT

⊨ G (¬a → F b)?

a a b c b a

(a,0)

(a,1)

(a,5)

(b,2)

(c,3)

(b,4)

0HEIGHT

I

I

I

〈¬a,(a,0)〉

〈¬a,(a,1)〉

〈¬a,(a,5)〉

〈F b,(b,4)〉

〈F b,(b,2)〉

1HEIGHT

R¬a

RF b

⊨ G (¬a → F b)?

a a b c b a

(a,0)

(a,1)

(a,5)

(b,2)

(c,3)

(b,4)

0HEIGHT

I

I

I

〈¬a,(a,0)〉

〈¬a,(a,1)〉

〈¬a,(a,5)〉

〈F b,(b,4)〉

〈F b,(b,2)〉

1HEIGHT

R¬a

RF b

〈¬a,2〉〈¬a,3〉〈¬a,4〉

〈F b,0〉

〈F b,1〉

〈F b,2〉

〈F b,3〉

〈F b,4〉

⊨ G (¬a → F b)?

a a b c b a

〈¬a,2〉〈¬a,3〉〈¬a,4〉

〈F b,0〉〈F b,1〉〈F b,2〉

〈F b,3〉〈F b,4〉

M

M

M

2HEIGHT

⊨ G (¬a → F b)?

a a b c b a

〈¬a,2〉〈¬a,3〉〈¬a,4〉

〈F b,0〉〈F b,1〉〈F b,2〉

〈F b,3〉〈F b,4〉

M

M

M

2HEIGHT

〈¬a → F b,(¬a,2)〉〈¬a → F b,(¬a,3)〉〈¬a → F b,(¬a,4)〉

〈¬a → F b,(F b,0)〉〈¬a → F b,(F b,1)〉〈¬a → F b,(F b,2)〉

〈¬a → F b,(F b,3)〉

〈¬a → F b,(F b,4)〉

⊨ G (¬a → F b)?

a a b c b a

〈¬a,2〉〈¬a,3〉〈¬a,4〉

〈F b,0〉〈F b,1〉〈F b,2〉

〈F b,3〉〈F b,4〉

M

M

M

2HEIGHT

〈¬a → F b,(¬a,2)〉〈¬a → F b,(¬a,3)〉〈¬a → F b,(¬a,4)〉

〈¬a → F b,(F b,0)〉〈¬a → F b,(F b,1)〉〈¬a → F b,(F b,2)〉

〈¬a → F b,(F b,3)〉

〈¬a → F b,(F b,4)〉

R¬a →

F b

⊨ G (¬a → F b)?

a a b c b a

〈¬a,2〉〈¬a,3〉〈¬a,4〉

〈F b,0〉〈F b,1〉〈F b,2〉

〈F b,3〉〈F b,4〉

M

M

M

2HEIGHT

〈¬a → F b,(¬a,2)〉〈¬a → F b,(¬a,3)〉〈¬a → F b,(¬a,4)〉

〈¬a → F b,(F b,0)〉〈¬a → F b,(F b,1)〉〈¬a → F b,(F b,2)〉

〈¬a → F b,(F b,3)〉

〈¬a → F b,(F b,4)〉

R¬a →

F b

〈¬a → F b,2〉〈¬a → F b,1〉〈¬a → F b,0〉

〈¬a → F b,3〉〈¬a → F b,4〉〈¬a → F b,5〉

⊨ G (¬a → F b)?

a a b c b a

M

M

M

〈¬a → F b,2〉

〈¬a → F b,1〉〈¬a → F b,0〉

〈¬a → F b,3〉

〈¬a → F b,4〉〈¬a → F b,5〉

3HEIGHT

⊨ G (¬a → F b)?

a a b c b a

M

M

M

〈¬a → F b,2〉

〈¬a → F b,1〉〈¬a → F b,0〉

〈¬a → F b,3〉

〈¬a → F b,4〉〈¬a → F b,5〉

3HEIGHT

〈G (¬a → F b), (¬a → F b,0)〉

〈G (¬a → F b), (¬a → F b,1)〉

〈G (¬a → F b), (¬a → F b,2)〉

〈G (¬a → F b), (¬a → F b,3)〉

〈G (¬a → F b), (¬a → F b,4)〉

〈G (¬a → F b), (¬a → F b,5)〉

⊨ G (¬a → F b)?

a a b c b a

M

M

M

〈¬a → F b,2〉

〈¬a → F b,1〉〈¬a → F b,0〉

〈¬a → F b,3〉

〈¬a → F b,4〉〈¬a → F b,5〉

3HEIGHT

〈G (¬a → F b), (¬a → F b,0)〉

〈G (¬a → F b), (¬a → F b,1)〉

〈G (¬a → F b), (¬a → F b,2)〉

〈G (¬a → F b), (¬a → F b,3)〉

〈G (¬a → F b), (¬a → F b,4)〉

〈G (¬a → F b), (¬a → F b,5)〉

RG (¬a→ F b)

⊨ G (¬a → F b)?

a a b c b a

M

M

M

〈¬a → F b,2〉

〈¬a → F b,1〉〈¬a → F b,0〉

〈¬a → F b,3〉

〈¬a → F b,4〉〈¬a → F b,5〉

3HEIGHT

〈G (¬a → F b), (¬a → F b,0)〉

〈G (¬a → F b), (¬a → F b,1)〉

〈G (¬a → F b), (¬a → F b,2)〉

〈G (¬a → F b), (¬a → F b,3)〉

〈G (¬a → F b), (¬a → F b,4)〉

〈G (¬a → F b), (¬a → F b,5)〉

RG (¬a→ F b)

〈G (¬a → F b),0〉〈G (¬a → F b),1〉〈G (¬a → F b),2〉〈G (¬a → F b),3〉〈G (¬a → F b),4〉〈G (¬a → F b),5〉

⊨ G (¬a → F b)?

a a b c b a

W〈G (¬a → F b),0〉〈G (¬a → F b),1〉〈G (¬a → F b),2〉〈G (¬a → F b),3〉〈G (¬a → F b),4〉〈G (¬a → F b),5〉

4HEIGHT

⊨ G (¬a → F b)?

a a b c b a

W〈G (¬a → F b),0〉〈G (¬a → F b),1〉〈G (¬a → F b),2〉〈G (¬a → F b),3〉〈G (¬a → F b),4〉〈G (¬a → F b),5〉

4HEIGHT

True

The trace can be stored inseparate (and non-contiguous)chunks

Mappers and reducers of agiven height can operate

in parallel

� (a,0) (b,2)(a,1) (c,3)

(a,5) (b,4)

�R

RR

MM

M

Tests on 500 randomly-generated traces

From 1 to 100,000 events

Each event contains 10 parametersnamed p₀ to p₉ with 10 possible values

G p₀ ≠ 0

G (p₀ = 0 → X p₁ = 0)

∀x ∈ [0,9] : G (p₀ = x → X p₁ = x)

∃m ∈ [0,9] : ∀x ∈ [0,9] : G (p = x → X X p ≠ x)m m

1

2

3

4

Validation of 4 LTL formulas:

PropertyTuples

Time/eventSequential ratio

Inferred time

55 k19 μs100%19 μs

120 k23 μs92%21 μs

600 k75 μs92%14 μs

5 M985 μs

3%30 μs

1 2 3 4

MQuestions?